It’s an interesting theory, but on thinking about it, I am inclined to disagree that it holds water.
Yes - you are able to use your own SSL certificate with CloudFlare without issuing them the private key. They only offer their SSL for users who want it (lessened security is better than no security is a fair way to argue that)
I would argue no based on point #1, but I suppose that would really depend on how many of that 10% use CloudFlare’s own HTTPS (and collect relevant data that would be otherwise unobtainable).
As far as I can tell the only possible way to have access to encrypted data is to hold the private key. I have no idea what percentage of the internet would be needed to start doing big data sniffing on such a scale but frankly I can believe that a nation state would likely have access to that kind of data regardless.
Going on the technology today - I hardly think it’s a matter of technical expertise. I find their product itself is fairly trivial (at least for the most part) with it being a glorified reverse proxy - the difficult and impressive part would be amassing the technical resources and infrastructure that the company has but that’s after 11 years. CloudFlare has a large internet backbone and, I believe, actually powers significant amounts of internet infrastructure. But if we were to consider the 2010 offering, I’m sure it’s not something out of the league of most developers with an understanding of the area.
I mean that really depends on the individuals and their abilities. With that said, however, I personally could easily see even a lone but able Harvard-educated student completing a project like that in a year and a half.
I think you're overlooking question number 1, which means you're overlooking the core of the issue.
As far as I know, there's no way to prevent Cloudflare from having access to the unencrypted data, even with the most strict SSL mode (Full). When you set the SSL certificate encryption mode to Full, it only means that the request will be encrypted between the user and Cloudflare servers, and encrypted between cloudflare servers and your server, while requiring validation from a CA authority.
If you set SSL Mode to Full not Full (strict), your own SSL certificate gets served - not the CloudFlare one.
Nope, that's not how it works. "Strict" only means the SSL certificate on your server, for the request between Cloudflare and your server, will ALSO be validated against a public CA authority. With "full" only, it uses the certificate but doesn't care if it's validated by a CA authority or not.
Either way, Cloudflare acts as a middle-man between both ends of the request, and has access to the unencrypted request and response, as it holds the private keys for both while transferring the request after going through its internal firewalls.
Think of it as "end-to-end, but with Cloudflare in the middle"
That’s patently false, as I can prove, and I encourage you to test the setting. The fact that my origin certificate is served without me giving them the private key means they must be serving it as-is without decrypting.
It doesn't need to have access to the private key of the certificate installed on your server, as Cloudflare is the man in the middle between request/response.
Okay, but then how are they re-encrypting it with my certificate?
They are not. Check the certificate on your browser when you visit your site that is protected by Cloudflare. The certificate is theirs.
Hang on - do CloudFlare issue Let’s Encrypt certificates?
That means your server doesn't even need an SSL certificate, and you'd still be able to access it with HTTPS in a browser. This is called reverse proxy upstream SSL.
No no, I understand all that; the thing I’m trying to determine is whether they actually do have access to authorize certificates on behalf of my domain, which I’m now beginning to think they do because of Let’s Encrypt.
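The test both posters keep circling (whose certificate is actually on the wire, and is the edge terminating TLS or relaying the origin's own certificate) can be settled with a probe rather than by looking at the padlock. This is an added example, not code from the thread or from Cloudflare: it assumes you know your origin's IP address and that the origin accepts direct connections, and it compares the leaf certificate served on the public (proxied) path against the one the origin presents when contacted by IP with the same SNI.

```python
"""Check whether a proxied hostname serves the origin's own certificate.

If the SHA-256 fingerprint seen on the public path differs from the one the
origin presents directly, the edge is terminating TLS with a certificate
(and private key) of its own, which is the point disputed in the thread.
"""
import hashlib
import socket
import ssl


def fetch_der(host: str, sni: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate (DER bytes) that `host` presents for `sni`.

    Verification is disabled on purpose for this probe only: an origin behind
    a proxy may hold a self-signed or proxy-issued certificate, and we want to
    see whatever it serves instead of failing the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def classify(edge_fp: str, origin_fp: str) -> str:
    """Interpret the two fingerprints.

    A differing pair is conclusive: the edge holds a different private key and
    therefore sees plaintext. An identical pair only shows that the same
    certificate is relayed; it does not by itself prove the edge lacks the key.
    """
    if edge_fp == origin_fp:
        return "same-certificate"
    return "edge-terminates-tls"


def compare(domain: str, origin_ip: str) -> dict:
    """Probe the proxied path and the origin directly, then classify."""
    edge_fp = fingerprint(fetch_der(domain, domain))
    origin_fp = fingerprint(fetch_der(origin_ip, domain))
    return {"edge": edge_fp, "origin": origin_fp, "verdict": classify(edge_fp, origin_fp)}


if __name__ == "__main__":
    import sys
    # Usage: python tlscheck.py example.com 203.0.113.10  (hypothetical values)
    print(compare(sys.argv[1], sys.argv[2]))
```

Both `fetch_der` calls send the domain as SNI, so the origin (and the edge) select the same virtual host; only the TCP destination differs.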
Edit: to clarify I use Let’s Encrypt as my public facing CA - do CloudFlare use them also to issue certificates?
Are you using a Chromium-based browser, such as Google Chrome? Access your domain that uses Cloudflare. Click the little padlock icon next to the domain and click on "Certificate". What do you see?
I’m very much aware how to view the certificate. That’s not at all what I’m asking.
I don't think they use Let's Encrypt, but this should be irrelevant. What certificate do you see on your browser when connecting to your domain that is protected by Cloudflare?
They might have permission to issue a certificate on your behalf as they control the DNS, but that's not the core of the issue
A Let’s Encrypt certificate. That’s why I’m asking.
Is the DNS entry you're hitting for this domain being proxied to Cloudflare? (Orange cloud on the Cloudflare dashboard) If yes, it should be protected from bots, etc
Yeah, again, I’m familiar with that. Some yes, some no. I checked one that is, but regardless, if they issue them with Let’s Encrypt, which it seems they do, it would be identical anyway.
If it’s issued by the DNS level that’s actually a bigger problem because DNSSEC adoption is worse than SSL adoption before free SSL.
I understand the point of them being able to issue the certificate, but that's not the main point. For DNS entries that are proxied to Cloudflare, you should see a Cloudflare certificate on your browser. When you ping your site using the domain, you should see the requests passing through Cloudflare, as it is a man-in-the-middle by definition, and should encrypt the browser connection to Cloudflare, and then encrypt the connection from Cloudflare to your server and back again, making them the only tool capable of mass breaking SSL encryption on the internet.
Okay, I'm totally unfamiliar with it. I'm surprised you're not getting a Cloudflare certificate on your browser when accessing a DNS entry that is proxied through them.
Take your company website for instance
Sorry, I peeked your profile looking for this information
Let it sink in that Cloudflare has access to unencrypted data from 10% of the internet, and that it was created after an acquisition by the Department of Homeland Security, making it the only tool capable of mass breaking SSL communications for the data acquired through traffic-sniffing such as the NSA's.
All good. There we actually do use Full (strict) - I explicitly chose to use CloudFlare for that SSL as it’s more or less purely presentational and the data is not sensitive.
I’d rather not give public details about the nature of all our security measures, etc. but that is not the case for all our domains.
How did they get 10% of the internet? By making it free. Well, at this point just re-read the thread VERY carefully if you agree with my claim above.
Actually putting this aside for a second - let’s consider Let’s Encrypt, who no doubt have far more control
So, what do you think, after all?
I’ll agree with you now that CloudFlare has the ability, for the most part, to break SSL on many websites. But even without them specifically, I believe there would still be that risk with services or organizations such as Let’s Encrypt so I think if this is something that matters to you, you should really consider your suppliers.
I don’t know how much of that is useful data - e.g. I don’t at all use CloudFlare or third party SSL for API domains for example.
Finally, I don’t believe there is enough evidence to suggest that CloudFlare was created or is/was owned by the DHS.
I understand the DHS claim might be weak, but the founder of Cloudflare, Matthew Prince, said to a BBC reporter that Cloudflare started after DHS got really interested in the data he had built up with the Honeypot project, and DHS acquired it for the price that Matthew asked: 20k.
Five years later Mr Prince was doing a Master of Business Administration (MBA) at Harvard Business School, and the project was far from his mind, when he got an unexpected phone call from the US Department of Homeland Security asking him about the information he had gathered on attacks.
Mr Prince recalls: "They said 'do you have any idea how valuable the data you have is? Is there any way you would sell us that data?'.
"I added up the cost of running it, multiplied it by ten, and said 'how about $20,000 (£15,000)?'.
"It felt like a lot of money. That cheque showed up so fast."
Fast forward a year and a half from that call, and Cloudflare was a fully-fledged application integrated with tech giants such as Hostgator. They were tremendously efficient to develop the tool and commercialize it so fast. I think they got help.
All of those claims isolated don't tell much, but when you put everything together, a very clear picture appears. It's a picture that makes sense, based on observable facts, but yes, I'm fully aware it's a theory, that's one of the reasons why I asked those questions, to validate crucial aspects of this theory, such as the decryption power of Cloudflare.
The claim that Cloudflare proxies 10% of the traffic of the internet comes from Cloudflare themselves, and it's based on data from 2017, which was the latest available I could find. You can click the sources listed in the main thread to confirm.
Yes I believe the 10% claim - like you said I believe I heard that from CloudFlare themselves. I was saying I don’t know what percentage of that 10% is serving CloudFlare’s origin certificate - not their own.